path: root/scripts/gcc-plugins/randomize_layout_plugin.c
author: Kees Cook <keescook@chromium.org> 2023-10-18 20:53:58 +0300
committer: Kees Cook <keescook@chromium.org> 2023-10-19 03:56:32 +0300
commit: 0e108725f6cc5b3be9e607f89c9fbcbb236367b7 (patch)
tree: 149102c39237fe844793971015c83202d0c9f699 /scripts/gcc-plugins/randomize_layout_plugin.c
parent: faed498d0db78adc1eee6bab3a8480bcb7e17e6e (diff)
download: linux-0e108725f6cc5b3be9e607f89c9fbcbb236367b7.tar.xz
string: Adjust strtomem() logic to allow for smaller sources

Arnd noticed we have a case where a shorter source string is being copied
into a destination byte array, but this results in a strnlen() call that
exceeds the size of the source. This is seen with -Wstringop-overread:

In file included from ../include/linux/uuid.h:11,
                 from ../include/linux/mod_devicetable.h:14,
                 from ../include/linux/cpufeature.h:12,
                 from ../arch/x86/coco/tdx/tdx.c:7:
../arch/x86/coco/tdx/tdx.c: In function 'tdx_panic.constprop':
../include/linux/string.h:284:9: error: 'strnlen' specified bound 64 exceeds source size 60 [-Werror=stringop-overread]
  284 |         memcpy_and_pad(dest, _dest_len, src, strnlen(src, _dest_len), pad); \
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../arch/x86/coco/tdx/tdx.c:124:9: note: in expansion of macro 'strtomem_pad'
  124 |         strtomem_pad(message.str, msg, '\0');
      |         ^~~~~~~~~~~~

Use the smaller of the two buffer sizes when calling strnlen(). When
src length is unknown (SIZE_MAX), it is adjusted to use dest length,
which is what the original code did.

Reported-by: Arnd Bergmann <arnd@arndb.de>
Fixes: dfbafa70bde2 ("string: Introduce strtomem() and strtomem_pad()")
Tested-by: Arnd Bergmann <arnd@arndb.de>
Cc: Andy Shevchenko <andy@kernel.org>
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>

Diffstat (limited to 'scripts/gcc-plugins/randomize_layout_plugin.c')
0 files changed, 0 insertions, 0 deletions
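
The bound selection described in the commit message, as an added user-space example that is not the kernel's strtomem() code. The helper names bounded_len, scan_bound and copy_str_pad are hypothetical, and SIZE_MAX stands for an unknown source size as in the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same contract as strnlen(): length of s, looking at no more than max bytes.
 * Written out so the example builds as strict ISO C. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hypothetical helper: the scan limit is the smaller of the two object sizes.
 * src_size == SIZE_MAX means "unknown", so the result falls back to dest_size. */
static size_t scan_bound(size_t src_size, size_t dest_size)
{
    return src_size < dest_size ? src_size : dest_size;
}

/* Copy a possibly unterminated string into a fixed-size byte array and fill
 * the remainder with pad. Returns the number of bytes taken from src. */
static size_t copy_str_pad(void *dest, size_t dest_size,
                           const char *src, size_t src_size, int pad)
{
    size_t n = bounded_len(src, scan_bound(src_size, dest_size));

    memcpy(dest, src, n);
    memset((unsigned char *)dest + n, pad, dest_size - n);
    return n;
}

int main(void)
{
    char msg[60];            /* constructed: 60 bytes, no NUL terminator */
    unsigned char out[64];   /* destination byte array, larger than msg */

    memset(msg, 'A', sizeof(msg));
    /* Bounding the scan by sizeof(out) alone would read msg[60..63]. */
    size_t n = copy_str_pad(out, sizeof(out), msg, sizeof(msg), '\0');
    printf("bound=%zu copied=%zu\n", scan_bound(sizeof(msg), sizeof(out)), n);
    return 0;
}
```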